Privacy Policy
Last updated: 2026-04-14
Effective: 2026-04-14
Support Stack Systems BBLLC ("SSS", "we", "us") operates StackAudit (the "Service") at www.supportstacksystems.com and stackaudit.supportstacksystems.com. This Privacy Policy describes how we collect, use, share, and protect personal information when you use the Service.
If you have questions, contact us at privacy@supportstacksystems.com.
1. Information we collect
Information you provide
- Account information. Name, email address, and password (or social sign-in identifier) when you create an account. We use Auth0 to manage identity.
- Company profile. Company name, role, industry, and similar details you enter during onboarding.
- Audit inputs. The software inventory, roles, salaries, and diagnostic responses you enter to generate an audit.
- Support correspondence. Messages you send us by email or contact form.
Information we collect automatically
- Usage data. Pages viewed, features used, approximate location derived from your IP address, and device and browser type.
- Cookies and similar technologies. Session cookies for authentication and functional cookies for user preferences. See the Cookies section below.
Information we collect through integrations (only if you connect them)
- Plaid (banking). When you choose to connect a financial account, Plaid Inc. provides us with transaction metadata (merchant name, amount, date, category) and masked account identifiers. We use this only to detect software subscription charges and present them to you for review. We do not receive your online banking credentials. Plaid's privacy practices are described at https://plaid.com/legal/.
- Future integrations. When you connect additional services (e.g., QuickBooks, Google Workspace, Microsoft 365), we receive only the data necessary to produce your audit, and we tell you what that data is before you connect.
2. How we use information
We use your information to:
- Provide and operate the Service, including generating your audit and showing you detected software subscriptions.
- Authenticate you and secure your account.
- Communicate with you about your account, service updates, and support.
- Comply with legal obligations, including tax and regulatory reporting.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
We do not sell your personal information. We do not use your data to train third-party AI models without your explicit permission.
3. Legal basis (for users where GDPR or similar laws apply)
- Performance of a contract — to provide the Service you signed up for.
- Consent — for optional integrations (e.g., Plaid), for non-essential cookies, and for marketing messages.
- Legitimate interests — to secure the Service and prevent abuse.
- Legal obligation — where required by law.
You may withdraw consent at any time where consent is the basis, without affecting prior processing.
4. How we share information
Except for the legal and business-transfer disclosures described at the end of this section, we share personal information only with the sub-processors listed at /subprocessors and documented in docs/legal/sub-processors.md. Each sub-processor holds a current SOC 2 Type II, ISO 27001, or equivalent attestation and is bound by a data processing addendum. The current sub-processors are:
| Vendor | Purpose | Location |
|---|---|---|
| Auth0 (Okta) | Identity | USA |
| Supabase | Database | USA |
| Vercel | Hosting | USA |
| Plaid | Banking aggregation (only if you connect) | USA |
| Stripe | Payments | USA |
| Resend | Transactional email | USA |
| GitHub | Source control (no customer data) | USA |
We may disclose information if required by law, to protect rights and safety, or in connection with a business transfer, in which case we will notify you as required.
5. How we protect information
- TLS 1.2+ on all network connections.
- AES-256 encryption at rest at every storage layer.
- An additional application-layer AES-256-GCM wrap on Plaid access tokens before they are persisted, so that access to the database alone does not yield usable tokens.
- MFA on all administrative accounts.
- Access controls, logging, dependency scanning, and endpoint security governed by our Information Security Policy.
- Annual risk reviews and incident response drills.
6. How long we keep information
| Data class | Retention |
|---|---|
| Account identity and profile | Life of account + 30 days |
| Audit responses | Life of account + 30 days |
| Plaid access tokens | Until you disconnect the integration, then deleted locally and revoked upstream |
| Detected charges | 24 months rolling, or 30 days after disconnect |
| Payment records | Per Stripe retention (typically 7 years for tax) |
| Application logs | 30 days |
Accounts inactive for 24 months receive a 30-day warning email before automatic deletion.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information. You can delete your account yourself at any time from Settings, or email us.
- Export your information in a portable format.
- Object to or restrict certain processing.
- Withdraw consent where consent is the basis.
- Lodge a complaint with a supervisory authority.
To exercise any right, email privacy@supportstacksystems.com with "Privacy request" in the subject and the email address associated with your account. We respond within 30 days. We may verify your identity before acting.
California residents: you have the rights described under the California Consumer Privacy Act (CCPA), including the right to know, delete, correct, and opt out of sale (we do not sell personal information).
Vermont residents: you have the rights described under the Vermont Consumer Data Privacy Act (VCDPA) effective 2026-07-01.
EU/UK residents: you have the rights described under GDPR / UK GDPR.
8. Children
The Service is not directed to children under 16. We do not knowingly collect information from children. If you believe a child has given us information, email privacy@supportstacksystems.com and we will delete it.
9. Cookies
We use:
- Strictly necessary cookies for authentication and session management.
- Functional cookies for preferences.
We do not use advertising cookies. Non-essential cookies, where introduced, will require consent.
10. International transfers
The Service is operated from the United States. If you access it from outside the US, your information will be transferred to and processed in the US. Where EU/UK data protection law applies, transfers rely on Standard Contractual Clauses with our sub-processors.
11. Changes to this policy
We may update this Privacy Policy. If changes are material, we will notify you by email or in-app notice at least 30 days before they take effect, where feasible. The "Last updated" date at the top indicates the most recent revision.
12. Contact
Support Stack Systems BBLLC
Vermont, USA
Email: privacy@supportstacksystems.com
General: hello@supportstacksystems.com